Crypto news
--
Opening day of the RSA Data Security conference; This is why you should use a longer key;
NIST calls for a new government crypto standard; Encrypted email coming for Scandanavia / Finland

Skinny DuBaud's rumor column
[1] in news.com alerted me to a Windows NT
4.0 security problem that allows anyone to consume all the CPU time on
an NT Server or Workstation box from across the Internet. A description
[2] of the
problem was posted anonymously to 32bit.com's Pipeline site on 1/21:

> From your "Start" button, choose "Run..." and then type:

> telnet some.nt.host.somewhere 135

> Once telnet connects, type 10-20 characters, any characters...
> Then disconnect or exit telnet... CPU usage on the NT 4.0
> machine... will hit 100% and remain there until rebooted. The
> 'rpcss.exe' process will eat the CPU out of house and home.

Two days later another user, Hector Isias, posted this workaround
[3]:

On March 19 the Supreme Court will hear oral arguments in their review
of a lower-court ruling that the Communications Decency Act is
unconstitutional. The government filed a 55-page brief last week
[4], which the
ACLU described as "at odds with the extensive factual findings of the
trial court." Todd Lapin in the February Wired (p. 46) does some
analysis in order to guess how the individual Justices might vote on this
issue. He comes up with the Supremes upholding the lower court (i.e.,
striking down the CDA) by a vote of 6 to 3, with uncertainty in one of
majority votes and all three of the minority. I can't point you to an
online resource here because Wired doesn't put their print content on
the Web until 6 weeks after press time. (Compare this policy to that
of Scientific American.)

See
[6] for first-day
coverage from the premier crypto conference
[7].
Aaron Burns, the recently appointed government "crypto czar" (he hates
the term -- "I'm mindful of what happened to the real czar," he says),
entered the lions' den and got points for showing up, though he simply
reiterated the Administration's line on key recovery. Burns was
preceded on the program by separate teleconferenced appearances from House
and Senate lawmakers who promised to reintroduce legislation to ease
crypto export (it stalled last term).

Yesterday RSA posted the target cyphers in its new challenge (see TBTF
for 1997-01-11
[8]) and the simplest, the 40-bit puzzle, was broken 3-1/2
hours later. Ian Goldberg, a UC Berkeley graduate student, announced
that he had used about 250 idle machines in the university network to
test 100 billion possible keys per hour. The challenge message, once
deciphered, read "This is why you should use a longer key." Goldberg
wins $1000 from RSA for the quick accomplishment. He is one of the grad
students who in 1995 found a Netscape flaw and cracked their 40-bit
encryption in under a minute
[9]. Goldberg is also signed up as the
instructor for the week-long intensive crypto workshop that precedes the
Financial Cryptogaphy 97 conference
[10] next month on the Caribbean
island of Anguilla.

The National Institute of Standards and Technology has requested
[11]
a new encryption algorithm to replace the Data Encryption Standard,
DES. The new standard is to be called the Advanced Encryption
Standard (AES). It must be a public, symmetric-block cipher with a flexible
key length, implementable into hardware or software, and free from
patent restrictions. The NIST request reflects the marketplace's
rejection of the Skipjack algorithm, which was implemented in the
Clipper chip. A separate NIST advisory committee made up of government
officials and supporters of key escrow is developing a "key management
infrastructure" that would be used with AES.

It was as if an invisible hand wrote these events on the same page. An
alliance of Finland, Norway, Sweden, and Denmark plans to introduce a
smartcard-based secure email service
[12] that will be available to all
citizens of these countries. It will use PGP-based RSA encryption with
a key length of 1024 bits, and no key escrow or key recovery. A Finnish
official said, "Finnish policy has not been to start with regulations
and fear of Net issues. The American discussion on this matter has been
funny to watch, but I hope nobody in Europe or Finland starts to
question the very basics of democracy."

A company called GlobeComm Inc. in New York has registered at least 517
domain names (list at
[13] -- be warned, some of them are mildly
offensive, some quite rude) and is using them as the basis for a "vanity"
email and domain-name businesses. GlobeComm runs a domain-name
brokerage
[14]; they claim to have over 2400 domain names listed for sale,
some of them their own, at prices ranging from a few hundred dollars
upwards of a hundred thousand. And the company operates a vanity email
business based on "iNames"
[15], which they describe as a
second-generation email P.O. box service. (Compare this service with the relative
parsimony of ForeverMail
[16], which runs a similar business on four
domain names.)

Early in 1996 David Milligan founded VanityMail, which he claims was the
first such operation to offer customized addresses, POP service, and
lifetime forwarding. Milligan joined forces last year with Gary Millin
at GlobeComm. The company is funded by private Wall Street capital and
does not disclose earnings. In an interview with Millin and Milligan I
asked whether GlobeComm had ever been sued over domain-name issues.
Millin responded that the company has been involved in over 40 disputes,
but that none has ended up in court. They are all either resolved or
the complaintant simply faded away when GlobeComm didn't cower at
receiving a cease-and-desist order from a lawyer. "I've got a file cabinet
full of them," Millin said

The Scout Report outlines a fascinating experimental service
[17] --
translation of Web pages from English to one of six other languages,
and back.

>>From the Scout Report (1997-01-24):

> SYSTRAN Software, Inc. has made available an experimental (alpha-
> release) web page translation service that will translate non-
> framed pages of 10K or less for any URL you submit (be sure to
> understand what "fully qualified URL" means before you begin),
> from its original langauge to another for selected languages.
> At present, 6 languages (French, German, Italian, Portuguese,
> Spanish, and Russian) are available, though the language trans-
> lated from or to is always English. Translation times can take
> from 30 seconds to 3 minutes or longer, and translations (as
> might be expected) are at times somewhat wooden. This is an ex-
> periment that could foreshadow the hoped-for ideal translation
> services of the future. Note that Netscape and Internet Explorer
> are the only browsers that are fully supported.

Unfortunately the intrepid Internet Scout may have dealt a mortal blow
to SYSTRAN, in the same way that a critic can ruin a good,
undiscovered restaurant by reviewing it favorably. I finally got TBTF's Jargon
Scout page
[18] translated into Spanish -- see the result ("Explorador
De la Jerga") here
[19]. This success followed 19 attempts at all hours
of the day and night over the preceding four days. Some of them timed out
(taking up to 30 minutes) and some returned "Document contains no data."
That's one overloaded translation server.

We all sense that technology is moving fast, but how fast exactly? In
this month's Scientific American W. Brian Arthur takes a good shot at
answering that question, and the answer is: 10 million times faster than
biological evolution. His argument
[20] isn't bulletproof but it is
certainly thought-provoking. My thanks to Scientific American magazine for
their enlightened policy of posting the full content of each issue on
the Web at the same time as it hits the newsstand.

TBTF for 1996-10-31
[21] discussed the parallels between the growth of
railroads in America and the spread of the Net in modern time. A
similar analogy, this one to the early history of radio
[22], has been
developed by <bchris at server dot northernnet dot com> and was featured in
NetSurfer Digest (1997-01-25):

> Then, as now, there were many innovators, experimenters, and compet-
> ing factions that included national governments. It was possible to
> communicate freely with other individuals worldwide with a small in-
> vestment of time and money. And the big companies wanted to control
> it all for themselves.

The radio analogy provides useful insight into (among other things)
the widespresad uncertainty over business models -- i.e., how to make
money from the Net. Neil Weiner <nweiner at mcs dot net> points out the ways
in which today's Net, still well short of mass uptake and acceptance,
compares to radio in the 1920s
[23].

Easter eggs are the amusing personal messages that engineers leave
buried in commercial software. Often they are made visible by some
complicated sequence of key presses and screen events, such as
"Type Control-Shift-Meta-Cokebottle while moving your mouse over the cockroach icon
when the moon is full." See the Easter Egg Archive
[24] for hundreds of
them. Historically, eggs have been platform-specific, but Netscape --
pioneer that it is -- has introduced the cross-platform egg with its
"about:" feature. Try typing "about:logo" into Navigator's Location:
box. There used to be an egg at "about:authors" but it has been removed.
Try it and Navigator tells you so, too loudly (but keep a close watch
on the status line). Type "about:foo" and Mozilla replies with one of two
mock-Ebonic phrases, either one of which might be the 90s equivalent of
"Syntax error."
(The phases come from Americon TV sitcoms of the 1980s: Different Strokes
starring Gary Coleman and In Living Color starring Dayman Wayans. Thanks
to Rich Holland <holland at pobox dot com> for the details.)

Among the many undocumented things Navigator will tell you about are these
two useful ones, turned up by Aaron Breckenridge <dbr056 at airmail dot net>:

The global history is everything you've ever visited; it's how
Navigator knows to render a link in the "visited" color. If you're a packrat,
as I am, go to Options > General Preferences > Appearance and set
"Followed Links Expire" to "Never." Your history file can grow very large
if you do this. Mine was 2.8 MB when I asked Navigator about it. The
program took a very long time to run out of memory, even after I had
granted it 50 MB to play in, and on the Mac at least it can't be
interrupted while doing so.

We'll give the last word to Mozilla, the mythical Godzilla-like creature
who is Netscape's totem. (I had always assumed that the name derives from
"Mosaic gorilla," 900-pound variety; but reader Alejandro Gomez
<nezumi at aurora dot teesa dot com> supplied the more reasonable guess that
Mozilla's parents are Mosaic and Godzilla. Recall that the original name of
the corporation now called Netscape was Mosaic Netscape Communications.)

about:mozilla

> And the beast shall come forth surrounded by a roiling cloud of
> vengeance. The house of the unbelievers shall be razed and they
> shall be scorched to the earth. Their tags shall blink until the
> end of days. -- The Book of Mozilla, 12:10

There are two kinds of people on the Net: those who don't see anything
wrong with blinking text and animated .GIFs and those can't abide them.
It's a religious issue. The divide that cleaves the two camps is their
answer to the following question:

> When you ply the Net, is the experience you're looking for
> like watching TV, or is it like reading?

Notes

Today's TBTF title comes from The Invisible Hand Society, a shadowy
association of journalists whose sole reason for organizing is to
foster competition in getting past their respective editors and into
print the phrase "It was as if an invisible hand..." They have not
invited me to join. Perhaps a journalist who is his own editor and
publisher enjoys too great a competitive advantage. (The original
popularizer of the invisible hand was Adam Smith, in his book The Wealth
of Nations, 1776.)

I recently had the disorienting experience of reading TBTF as it
arrived in the email of an AOL subscriber. The default AOL mailer
font is
proportionally spaced. So for all you AOL subscribers who have been
wondering about the meaningless jumble of characters at the beginning
of each issue: it's a pair of lips rendered in Ascii characters and
intended for monospaced display -- a quaint example of a soon-to-be-forgotten
art. Set the mailer's font to Courier; or read TBTF on the Web, you
betta' off.

TBTF alerts you weekly to bellwethers in computer and communications tech-
nology, with special attention to commerce on the Internet. Published since
1994. See the archive at <http://www.tbtf.com/>. To subscribe send the mes-
sage "subscribe" to tbtf-request@world.std.com. TBTF is Copyright 1996 by
Keith Dawson, <dawson dot tbtf at gmail dot com>. Commercial use prohibited. For non-
commercial purposes please forward and post as you see fit.
_______________________________________________
Keith Dawson dawson dot tbtf at gmail dot com
Layer of ash separates morning and evening milk.